Chapter 12: Disaster Recovery and Incident Response
Grandfather, Father, Son Method
One of the most popular methods of backup tape rotation. Three sets of tapes are rotated in this method. The most recent backup after the full backup is the Son. As newer backups are made, the Son becomes the Father, and the Father, in turn, becomes the Grandfather. At the end of each month, a full backup is performed on all systems. This backup is stored in an offsite facility for a period of one year. Each monthly backup replaces the monthly backup from the previous year. Weekly or daily incremental backups are performed and stored until the next full backup occurs. This full backup is then stored offsite, and the weekly or daily backup tapes are reused.
IRP (Incident Response Plan)
outlines what steps are needed and who is responsible for deciding how to handle a situation.
Escalation of privilege
a hole created when code is executed with higher privileges than those of the user running it
There are five levels of tabletop exercise testing:
- Document Review
- Walkthrough
- Simulation
- Parallel Test (you start up all backup systems but leave the main systems functioning)
- Cutover Test (this test shuts down the main systems and has everything fail over to backup systems)
Benefits of credentialed scanning
- Not disrupting operations or consuming too many resources
- Definitive list of missing patches
- Client-side software vulnerabilities are uncovered
Track man hours and expense
Data forensics can be a very time-consuming process. Many companies base next year's budget off the current year's budget. Properly documenting time and man hours spent on forensics helps to ensure money is budgeted properly next year. It also helps when planning resource needs: based on workload, do you have enough resources to complete the job? The number of hours needed versus the expense may dictate whether you request additional FTEs or contractors. Many times vendors have professional services available: quick engagements with a specific enterprise.
Take hashes
It is important to collect as much data as possible to be able to illustrate the situation, and hashes must not be left out of the equation.
The key element of a vulnerability scan is:
identify vulnerabilities
False positives
are events that aren't really incidents
chain of custody
A list of all people who came into possession of an item of evidence
Talk to witnesses
It is important to talk to as many witnesses as possible to learn exactly what happened and to do so as soon as possible after the incident.
Document Network Traffic and Logs
Look at network traffic and logs to see what information you can find there. This information can be useful in identifying trends associated with repeated attacks.
What is a good vulnerability scanner to use?
Nessus
An incident response plan needs at least four of the following:
- Guideline for documenting the incident type and defining its category.
- Resources used to deal with an incident.
- Defined roles and responsibilities for those who are involved in the investigation and response. This should identify members of the cyber-incident response team(s).
- Reporting requirements and escalation procedures, including a list of outside agencies that should be contacted or notified and outside experts who can be used to address issues if needed.
The six steps of any incident response process are:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
What are the two types of incidents that require a response?
Internal incidents and incidents involving law enforcement or professionals.
Offsite storage
A location away from the computer center where paper copies and backup media are kept.
Vulnerability scanning
Allows you to identify specific vulnerabilities in your network, and most penetration testers will start with this procedure so that they can identify likely targets to attack.
Backup Server Method
Servers with large amounts of disk space whose sole purpose is performing backups. Advantage: the backups can be available online for immediate access.
Warm site
Similar to a hot site but not fully equipped with all of the hardware needed for recovery, which requires the customer to do more work to become operational.
Record Time Offset
Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation.
Business Continuity
The ability of an organization to maintain its operations and services in the face of a disruptive event.
Legal hold
The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated
Black Box
The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker
White Box
The tester has significant knowledge of the system. This simulates an attack from an insider, such as a rogue employee.
After Action Report
This debriefing needs to include a sharing by team members of the steps taken, along with an open discussion of what worked and what should be changed in future crises.
Gray Box
This is the middle ground between the first two types of testing. The tester has some limited knowledge of the target system.
Capture Video
Video can be a crucial component of documenting an investigation. It can be taken of your actions during the investigation or analysis. Record what's on screen and the position and location of various components. Is there video evidence and/or are there security cameras inside the data center? At the office or remote site? At the entrance or exit of the building?
What is a major component of a disaster-recovery plan?
Access and storage of information. A backup plan is an integral part of this process.
What operating system uses System Restore?
Windows 10
What vulnerabilities should you identify?
- Common misconfigurations
- A lack of security controls
Hot Sites (Disaster recovery):
a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Also referred to as the active backup model.
Backout
a reversion or roll back to a previous state from a change that had negative consequences
reciprocal agreements
an agreement between two companies to provide services in the event of an emergency
working copy backup (or shadow copies)
are partial or full backups that are kept at the computer center for immediate recovery purposes
CSIRT (Computer Security Incident Response Team)
can be a formalized or an ad hoc team. You can toss a team together to respond to an incident after it arises, but investing time in the development process beforehand can make an incident more manageable.
Capture screenshots
Capture all relevant screenshots for later analysis. One image can often convey the same information that it would take hundreds of log entries to equal.
Passive Reconnaissance
collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering.
Active Reconnaissance
directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack
One of the most important aspects of using alternative sites is
documentation
Incident Response
encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
disaster recovery plan
helps an organization respond effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster.
3 types of alternate sites
a hot site, a warm site, or a cold site
backup plan
identifies which information is to be stored, how it will be stored, and for what duration it will be stored
JFS (Journal File System)
includes a log file of all changes and transactions that have occurred within a set period of time (such as the last few hours)
Intrusive tests
involves breaking into the network
Escalation
involves consulting policies, consulting appropriate management, and determining how best to conduct an investigation into the incident.
Non-Intrusive Testing
involves passively testing security controls, performing vulnerability scans, and probing for weaknesses but not exploiting them
full backup
is a complete comprehensive backup of all files on a disk or server
Cold site
is a facility that isn't immediately ready to use. The organization must bring along its own equipment and network. It works well when an extended outage is anticipated. Cold sites require the most advance planning, testing, and resources to become operational, occasionally taking up to a month.
incremental backup
is a partial backup that stores only the information that has been changed since the last full or the last incremental backup. For example, if a full backup were performed on a Sunday night, an incremental backup done on Monday night would contain only the information that changed since Sunday night.
Tabletop Exercise
is a simulation of a disaster. It is a way to check to see if your plans are ready to go.
Capture system image
is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.
Penetration Testing
is essentially an attempt to exploit the vulnerabilities identified by a vulnerability scan
Incident identification
is the first step in determining what has occurred in your organization.
BCP (Business Continuity Plan)
is the process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes.
differential backup
backs up any files that have been altered since the last full backup; it therefore makes duplicate copies of files that haven't changed since the last differential backup.
alternate sites
lease or purchase a facility that is available on short notice for the purpose of restoring network or systems operations.
false positive
occurs when the scan mistakenly identifies something as a vulnerability when it is not
HSM (Hierarchical Storage Management)
provides continuous online backup by using optical or tape jukeboxes; ensures that data is being continuously backed up
CBF (Critical Business Function)
refers to those processes or systems that must be made operational immediately when an outage occurs
data sovereignty
refers to having a legal department that proactively offers advice on geographic matters. This is the concept that data is subject to the laws of where it is stored, and the legal implications of this should factor heavily into server location selection, backup facilities, and all other aspects of business operations.
What is the NSRL (National Software Reference Library)
they collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS)
DAT (Digital Audio Tape)
used to store a record of changes. If an outage occurs, the audit or transaction files can be rolled forward to bring the database back to its most current state.
credentialed vulnerability scan
uses actual network credentials to connect to systems and scan for vulnerabilities
Pivot
using another compromised system to attack another system on the same network following initial exploitation
onsite storage
usually refers to a location on the site of the computer center that is used to store information locally. These containers aren't fireproof but are fire rated: the rating specifies that a container can protect its contents for a specific amount of time in a given situation.
Persistence
when a compromise is introduced at a different time than the attack. An example would be an employee having his or her laptop infected at a hotel while traveling for business, and the company's network not being compromised until the employee is back in the office a week later and connected to the company's network.
Act in Order of Volatility
When dealing with multiple issues, address them in order of volatility (OOV): always deal with the most volatile first. In an investigation, you want to collect everything, but some data will exist longer than other data, and you cannot possibly collect all of it at once. As an example, the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.
full archival method
works on the assumption that any information created on any system is stored forever. This method effectively eliminates the potential for loss of data, but it can quickly overwhelm your storage media.